avc denied from postgresql

Richard Hally rhally at mindspring.com
Sat Jul 3 07:25:05 UTC 2004 

Russell Coker wrote:

> On Sat, 3 Jul 2004 09:39, Richard Hally <rhally at mindspring.com> wrote:
> 
>>Russell Coker wrote:
>>
>>>Let's get back to basics and look at the concepts rather than AVC
>>>messages.
>>>
>>>/etc/rc.d/init.d/postgresql uses su to change uid to start the daemon,
>>>this is a problem as it's not compatible with the usual su operation.
>>
>>Huh? su (Substitute User) has been to "Change the effective userid and
>>group id" since I first learned about it in 1978. And is being used for
>>that purpose in the init.d/postgresql stript.
> 
> 
> It's purpose is to change the effective UID/GID for interactive sessions.
> 
>>From su(1) on Fedora:
> su - run a shell with substitute user and group IDs
> 
>>From su(1) on Debian:
> su  is  used  to  become  another user during a login session.
> 
> There's no mention I could find in the documentation of using su for starting 
> daemons.
> 
> I think that there is no good reason for using su in this manner, and some 
> good reasons for not doing so.  The postgresql start scripts will have to be 
> changed.
> 
> 
>>>/etc/rc.d/init.d/postgresql does lots of things other than just starting
>>>a daemon, for example the code after:
>>>echo -n $"Initializing database: "
>>
>>Maybe we need a restorecon where it creates the data directory(if not
>>already present (a rare occurance)).
> 
> 
> It might be rare in terms of the number of times the daemon is started, but 
> from my understanding of the script it's expected to be done the first time 
> the daemon is started.  So it's inevitable that it happens at least once, and 
> therefore we have to handle it.
> 
> 
>>The real work part of initializing the data directory is done with "su
>>-l postgres -c ..." just like the part that starts the server(i.e. su -l
>>postgres -c ...)
>>
>>What is it about pam_selinux that is causing the problem?
> 
> 
> The fact that there is no identity, role, and domain defined for Postgres.  We 
> can configure the SE Linux policy to allow this, but it's the wrong approach.
> 
Ok, now I understand making a distinction about using su for starting a 
deamon.
What is the problem with defining a user role for postgres? And how 
would one go about doing that?

TFTH
Richard Hally

More information about the selinux mailing list